Before You Start
You need an account that can create app registrations and grant tenant-wide admin consent for Microsoft Graph application permissions. In many tenants this means a Global Administrator, Cloud Application Administrator plus consent rights, or a Privileged Role Administrator workflow.
- Use a dedicated app registration for EndpointClarity. Do not reuse an app that powers another automation.
- Use application permissions, not delegated permissions. EndpointClarity reporting should run without a signed-in user.
- Grant only read-only permissions unless a future feature explicitly requires write access.
- Store the client secret value immediately after creating it. Microsoft only shows the value once.
1. Create the Microsoft Entra App Registration
- Open the Microsoft Entra admin center.
- Go to Identity, then Applications, then App registrations.
- Select New registration.
- Name the app something clear, such as EndpointClarity Reporting.
- For supported account types, choose Accounts in this organizational directory only.
- Leave the redirect URI blank. EndpointClarity uses application credentials, not an interactive browser sign-in flow.
- Select Register.
Naming recommendation:
Use a name that includes the product and purpose. For example: EndpointClarity - Intune Reporting - Read Only. This makes access reviews and audit reviews easier later.
2. Record the Tenant ID and Client ID
After the app registration is created, open the app's Overview page and copy these values:
- Directory (tenant) ID: This identifies your Microsoft Entra tenant.
- Application (client) ID: This identifies the app registration EndpointClarity will use.
You will paste both values into the EndpointClarity dashboard under Graph Connection.
3. Add Read-Only Microsoft Graph Application Permissions
- In the app registration, open API permissions.
- Select Add a permission.
- Choose Microsoft Graph.
- Choose Application permissions.
- Search for and add the permissions listed below.
| Permission | Why EndpointClarity Uses It | Access Type |
| --- | --- | --- |
| User.Read.All | Read user account properties used to associate devices, ownership, department, user principal name, and reporting context. | Read only |
| Group.Read.All | Read group names and memberships where reporting needs assignment or audience context for policies, apps, or device groups. | Read only |
| Device.Read.All | Read Microsoft Entra device objects and device directory metadata used for inventory and account-device relationships. | Read only |
| DeviceManagementManagedDevices.Read.All | Read Microsoft Intune managed device records, including ownership, compliance state, operating system, model, enrollment, and last check-in signals. | Read only |
| DeviceManagementConfiguration.Read.All | Read Intune device configuration and compliance policies, including assignment information used for policy visibility and reporting. | Read only |
| DeviceManagementApps.Read.All | Read Intune app inventory, app configuration, app protection policy, assignment, and status details for application reporting. | Read only |
| DeviceManagementServiceConfig.Read.All | Read Intune service configuration information where needed for tenant-level device management reporting context. | Read only |
| Reports.Read.All | Read available Microsoft 365 and Graph reporting data where EndpointClarity uses reporting endpoints for summary views. | Read only |
Important:
Do not add ReadWrite permissions for this reporting setup. EndpointClarity's reporting workflow should not need permissions that can create, update, delete, wipe, retire, or modify devices, apps, or policies.
4. Grant Admin Consent
After adding the application permissions, select Grant admin consent for your tenant. Microsoft Graph application permissions do not become usable until an authorized administrator grants consent.
- Review the full permission list before granting consent.
- Confirm every permission is read-only.
- Select Grant admin consent.
- Verify the status column shows consent granted for each permission.
If your organization uses Privileged Identity Management or approval workflows, activate the required role or submit the consent request through your normal access process.
5. Create a Client Secret
- In the app registration, open Certificates & secrets.
- Select Client secrets, then New client secret.
- Use a clear description, such as EndpointClarity reporting secret.
- Choose an expiration aligned with your organization's credential rotation policy.
- Select Add.
- Copy the Value immediately. Do not copy the Secret ID.
Secret value versus Secret ID:
EndpointClarity needs the secret Value. Microsoft only shows this value once. If it is lost, create a new client secret and use the new value.
6. Save the Values in EndpointClarity
Open the EndpointClarity dashboard and go to Graph Connection. Enter:
- Tenant ID: The Directory (tenant) ID from the app overview page.
- Client ID: The Application (client) ID from the app overview page.
- Client Secret: The client secret Value from Certificates & secrets.
After saving, EndpointClarity stores the connection details for your account and uses them for read-only reporting workflows.
Validation Checklist
Before considering setup complete, confirm these items:
- App registration exists: The app has a clear reporting-specific name.
- Application permissions selected: The app uses Microsoft Graph application permissions, not delegated permissions.
- Read-only permissions only: No ReadWrite, wipe, delete, or policy modification permissions were added.
- Admin consent granted: Each permission shows granted consent for the tenant.
- Secret value saved: The client secret Value, not Secret ID, was entered in EndpointClarity.
- Expiration tracked: The secret expiration date is documented for future rotation.
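An added way to verify the "Read-only permissions only" and "Admin consent granted" items without opening the portal: the access token the app receives from the client credentials grant carries the consented application permissions in its `roles` claim, so decoding that claim and comparing it with the table above shows exactly what consent produced. This is example code, not part of EndpointClarity or Microsoft's tooling; the token it inspects is constructed and unsigned for offline use, and a real one would come from the tenant's v2.0 token endpoint.

```python
"""Offline check of the application permissions (roles claim) in a Graph token."""
import base64
import json

# The eight read-only application permissions the setup guide asks for.
EXPECTED_ROLES = {
    "User.Read.All",
    "Group.Read.All",
    "Device.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementApps.Read.All",
    "DeviceManagementServiceConfig.Read.All",
    "Reports.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token: str) -> set[str]:
    """Return the application permissions granted in a Graph access token.
    Only the payload is read; signature validation is Graph's job, not this check's."""
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("roles", []))


def check_roles(roles: set[str]) -> dict:
    """Compare the granted roles with the guide's read-only list."""
    write_capable = {r for r in roles if not r.endswith(".Read.All")}
    return {
        "missing": sorted(EXPECTED_ROLES - roles),       # consent not granted yet
        "unexpected": sorted(roles - EXPECTED_ROLES),    # scope creep beyond the table
        "write_capable": sorted(write_capable),          # must be empty for reporting
        "ok": roles == EXPECTED_ROLES and not write_capable,
    }


def _constructed_token(roles: list[str]) -> str:
    # Constructed, UNSIGNED sample token for offline demonstration only. A real token
    # is issued by https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token for
    # scope https://graph.microsoft.com/.default using the client ID and secret.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'roles': roles})}.sig"


if __name__ == "__main__":
    sample = _constructed_token(sorted(EXPECTED_ROLES) + ["DeviceManagementManagedDevices.ReadWrite.All"])
    print(json.dumps(check_roles(token_roles(sample)), indent=2))
```

A non-empty `write_capable` list means the app can do more than report and the extra permission should be removed before consent is kept.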
Security and Operations Notes
- Use least privilege. Microsoft recommends requesting only the permissions an app needs. Keep this app limited to read-only reporting permissions.
- Separate reporting from administration. Do not use the same app registration for scripts or automations that modify Intune objects.
- Rotate secrets. Track the expiration date and rotate before it expires. Create the new secret, update EndpointClarity, verify reporting, then remove the old secret.
- Review consent periodically. Include the app registration in your access reviews so permissions remain aligned with the reporting scope.
- Remove unused permissions. If a report type is not used, remove any permission that only supported that report type.
Troubleshooting
- Unauthorized or forbidden errors: Confirm admin consent is granted and the permission is an application permission.
- Intune data missing: Confirm the tenant has the required Intune licensing and that the app has the Intune read permissions listed above.
- Secret rejected: Confirm you copied the client secret Value, not the Secret ID.
- Policies not visible: Confirm DeviceManagementConfiguration.Read.All is granted and consented.
- Managed apps not visible: Confirm DeviceManagementApps.Read.All is granted and consented.
Official Microsoft References